From 58cad3f503f184baeb79507d6c2130fdf7a3fe4e Mon Sep 17 00:00:00 2001
From: M66B
Date: Sat, 26 Jun 2021 09:53:18 +0200
Subject: [PATCH] Escape place holders

---
 app/src/main/java/eu/faircode/email/EntityAnswer.java | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/app/src/main/java/eu/faircode/email/EntityAnswer.java b/app/src/main/java/eu/faircode/email/EntityAnswer.java
index 1d3315e4a4..c260b29bdc 100644
--- a/app/src/main/java/eu/faircode/email/EntityAnswer.java
+++ b/app/src/main/java/eu/faircode/email/EntityAnswer.java
@@ -19,6 +19,8 @@ package eu.faircode.email;
 Copyright 2018-2021 by Marcel Bokhorst (M66B)
 */
 
+import android.text.Html;
+
 import androidx.annotation.NonNull;
 import androidx.room.Entity;
 import androidx.room.PrimaryKey;
@@ -113,10 +115,10 @@ public class EntityAnswer implements Serializable {
 }
 }
 
- text = text.replace("$name$", fullName == null ? "" : fullName);
- text = text.replace("$firstname$", first == null ? "" : first);
- text = text.replace("$lastname$", last == null ? "" : last);
- text = text.replace("$email$", email == null ? "" : email);
+ text = text.replace("$name$", fullName == null ? "" : Html.escapeHtml(fullName));
+ text = text.replace("$firstname$", first == null ? "" : Html.escapeHtml(first));
+ text = text.replace("$lastname$", last == null ? "" : Html.escapeHtml(last));
+ text = text.replace("$email$", email == null ? "" : Html.escapeHtml(email));
 
 return text;
 }
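Review bot: The escaping added in the four `text.replace(...)` lines of the second hunk is only safe when a placeholder sits in element content. As far as I know, `Html.escapeHtml` encodes `<`, `>`, `&` and non-ASCII characters but leaves `"` and `'` as they are. If a template can put a placeholder inside an attribute value (for example `$email$` in an `href`), a display name or address containing a quote could still end the attribute early. Either document the limit next to the replacements, e.g. `// Html.escapeHtml does not encode quotes: placeholders are safe in element content only`, or use an encoder that also covers quotes, such as `TextUtils.htmlEncode`. The enclosing method starts outside the hunk, so where `fullName`, `first`, `last` and `email` come from cannot be confirmed here.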